{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39336", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.393Z", "datePublished": "2026-04-07T17:40:55.153Z", "dateUpdated": "2026-04-07T18:40:33.123Z"}, "containers": {"cna": {"title": "ChurchCRM has Stored XSS from unescaped config values in HTML attributes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:40:55.153Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-r8cp-gg58-2r2r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:40:16.848965Z", "id": "CVE-2026-39336", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:40:33.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39336", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T18:40:16.848965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:40:25.551Z"}}], "cna": {"title": "ChurchCRM has Stored XSS from unescaped config values in HTML attributes", "source": {"advisory": "GHSA-r8cp-gg58-2r2r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:40:55.153Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39336", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:40:33.123Z", "dateReserved": "2026-04-06T20:28:38.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:40:55.153Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D", "versionEndExcluding": "7.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39336", "lastModified": "2026-04-10T20:57:39.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:45.463", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T22:41:21.707057+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later to apply the official fix.", "If upgrading immediately is not feasible, restrict write access to configuration fields and monitor configuration changes.", "Validate or escape configuration values before rendering into HTML attributes.", "Test after patching to ensure that allocated fields no longer accept unescaped content.", "Monitor logs for attempts to modify configuration or load suspicious scripts."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects ChurchCRM\u2019s open\u2011source church management system before version 7.1.0. Administrators who can alter configuration values are able to exploit the stored XSS. All installations using an earlier release and relying on the Directory Reports, Person editor, or self\u2011registration default fields are at risk.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in ChurchCRM. Configuration values that are rendered into HTML attributes are not escaped, allowing an attacker to inject arbitrary JavaScript. The injection occurs in Directory Reports form fields set from config, person editor defaults in address fields, and external self\u2011registration form defaults. Because the affected data is stored and subsequently displayed to administrative users, the impact is that an attacker who can modify writable configuration sections could persist malicious script that runs in the browser context of any admin who views these pages, potentially compromising session data or executing further attacks.", "risk_and_exploitability": "The CVSS score of 6.1 reflects moderate severity. The low EPSS score indicates that exploitation is currently unlikely but possible. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to achieve write access to the configuration area and then load an affected page as an administrative user. The exposed attack vector is primarily insider or privileged compromise leading to script execution in privileged browsers."}}}}, "created": "2026-04-08T19:47:02.581775+00:00", "updated": "2026-04-13T14:26:31.011016+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}